---
title: LDAP Search Filter Cheatsheet
author: Jon LaBelle
date: January 4, 2021
source: https://jonlabelle.com/snippets/view/markdown/ldap-search-filter-cheatsheet
notoc: true
---

A comprehensive reference for constructing LDAP search filters, with practical examples for common queries.

- [Filter operators](#filter-operators)
  - [Comparison operators](#comparison-operators)
  - [Combination operators](#combination-operators)
  - [Special Characters](#special-characters)
- [objectCategory and objectClass](#objectcategory-and-objectclass)
- [Filter basics](#filter-basics)
  - [To match a single attribute](#to-match-a-single-attribute)
  - [To match two attributes (and)](#to-match-two-attributes-and)
  - [To match two attributes (or)](#to-match-two-attributes-or)
  - [To match three attributes (and)](#to-match-three-attributes-and)
  - [To match three attributes (or)](#to-match-three-attributes-or)
  - [To perform a wildcard search](#to-perform-a-wildcard-search)
- [Sample filters](#sample-filters)
  - [Users in group](#users-in-group)
  - [Users in group (include nested)](#users-in-group-include-nested)
  - [Users in multiple groups](#users-in-multiple-groups)
  - [Users that must change their password at next logon](#users-that-must-change-their-password-at-next-logon)
  - [Users starting with a particular name](#users-starting-with-a-particular-name)
  - [Users by job title](#users-by-job-title)
- [Active Directory filters](#active-directory-filters)
  - [Domain and Enterprise Admins](#domain-and-enterprise-admins)
  - [All users except blocked](#all-users-except-blocked)
  - [Disabled user accounts](#disabled-user-accounts)
  - [Users with password never expires enabled](#users-with-password-never-expires-enabled)
  - [Users with empty email](#users-with-empty-email)
  - [Users in department](#users-in-department)
  - [Exclude disabled users](#exclude-disabled-users)
- [Additional useful filters](#additional-useful-filters)
  - [Computer accounts](#computer-accounts)
  - [Service accounts](#service-accounts)
  - [Groups with specific attributes](#groups-with-specific-attributes)
  - [Objects modified within timeframe](#objects-modified-within-timeframe)
  - [Users by location](#users-by-location)
  - [Empty organizational units](#empty-organizational-units)
- [References](#references)
- [Additional Resources](#additional-resources)

## Filter operators

### Comparison operators

The following comparison operators can be used in a filter:

| Operator | Meaning                  |
| -------- | ------------------------ |
| `=`      | Equality                 |
| `>=`     | Greater than or equal to |
| `<=`     | Less than or equal to    |
| `~=`     | Approximately equal to   |

For example, the following filter returns all objects with _cn_ (common name) attribute value _Jon_:

```plaintext
(cn=Jon)
```

### Combination operators

Filters can be combined using boolean operators when there are multiple search conditions:

| Operator | Description                              |
| -------- | ---------------------------------------- |
| `&`      | AND — all conditions must be met         |
| `\|`     | OR — any number of conditions can be met |
| `!`      | NOT — the condition must not be met      |

For example, to select objects with _cn_ equal to _Jon_ and _sn_ (surname/last name) equal to _Brian_:

```plaintext
(&(cn=Jon)(sn=Brian))
```

### Special Characters

The LDAP filter specification assigns special meaning to the following characters:

| Character | Hex Representation |
| --------- | ------------------ |
| `*`       | `\2A`              |
| `(`       | `\28`              |
| `)`       | `\29`              |
| `\`       | `\5C`              |
| `NUL`     | `\00`              |

For example, to find all objects where the common name is `James Jim*) Smith`, the LDAP filter would be:

```plaintext
(cn=James Jim\2A\29 Smith)
```
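The escape table above is what stops a user-supplied value from rewriting a filter. The following is an added example, not code from the original cheatsheet: it escapes assertion values per that table, rejects attribute names that are not plain identifiers or OIDs, and composes the `&`, `|` and `!` operators from the Combination operators section. The function names (`escape_filter_value`, `eq`, `starts_with`, `bit_and`, `and_`, `or_`, `not_`, `user_lookup_filter`) are this example's own.

```python
import re

# Hex escapes for the characters the filter grammar reserves (table above).
_ESCAPES = {
    "\\": "\\5C",
    "*": "\\2A",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Attribute descriptions are identifiers or dotted OIDs; anything else is
# rejected so filter syntax cannot be smuggled in through the attribute name.
_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*)$")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so the server matches it literally.

    Each character is mapped independently, so a backslash in the input
    becomes \\5C and can never be re-read as the start of another escape.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _check_attr(attr: str) -> str:
    if not _ATTR_RE.match(attr):
        raise ValueError(f"invalid attribute description: {attr!r}")
    return attr


def eq(attr: str, value: str) -> str:
    """(attr=value), with the value taken literally."""
    return f"({_check_attr(attr)}={escape_filter_value(value)})"


def starts_with(attr: str, prefix: str) -> str:
    """(attr=prefix*): the trailing wildcard is ours, the prefix is escaped."""
    return f"({_check_attr(attr)}={escape_filter_value(prefix)}*)"


def bit_and(attr: str, mask: int) -> str:
    """(attr:1.2.840.113556.1.4.803:=mask), the AD bitwise-AND matching rule."""
    return f"({_check_attr(attr)}:1.2.840.113556.1.4.803:={int(mask)})"


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def not_(filter_: str) -> str:
    return "(!" + filter_ + ")"


def user_lookup_filter(account_name: str) -> str:
    """Enabled user by sAMAccountName, where account_name came from a form field."""
    return and_(
        eq("objectCategory", "person"),
        eq("objectClass", "user"),
        not_(bit_and("userAccountControl", 2)),
        eq("sAMAccountName", account_name),
    )


if __name__ == "__main__":
    print(eq("cn", "James Jim*) Smith"))
    print(and_(eq("cn", "Jon"), eq("sn", "Brian")))
    print(user_lookup_filter("jon"))
    # A value carrying filter metacharacters stays a literal account name
    # instead of changing the shape of the query:
    print(user_lookup_filter("*)(objectClass=*"))
```

Wildcards are only ever added by the builder (`starts_with`), never taken from input; if a caller needs a literal `*` in a value it is escaped to `\2A`, which matches the page's `(cn=James Jim\2A\29 Smith)` example.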

## objectCategory and objectClass

| objectCategory       | objectClass          | Result                    |
| -------------------- | -------------------- | ------------------------- |
| person               | user                 | user objects              |
| person               | n/a                  | user and contact objects  |
| person               | contact              | contact objects           |
| user                 | n/a                  | user and computer objects |
| computer             | n/a                  | computer objects          |
| contact              | n/a                  | contact objects           |
| group                | n/a                  | group objects             |
| n/a                  | group                | group objects             |
| person               | organizationalPerson | user and contact objects  |
| organizationalPerson | n/a                  | user and contact objects  |

> **Use objectCategory instead of objectClass in your filters.**
>
> `objectCategory` is faster because it's single-valued and indexed. `objectClass` is multi-valued and typically not indexed, making queries slower.

## Filter basics

### To match a single attribute

```plaintext
(sAMAccountName=SomeAccountName)
```

### To match two attributes (and)

```plaintext
(&(objectClass=person)(objectClass=user))
```

### To match two attributes (or)

```plaintext
(|(objectClass=person)(objectClass=user))
```

### To match three attributes (and)

```plaintext
(&(objectClass=user)(objectClass=top)(objectClass=person))
```

### To match three attributes (or)

```plaintext
(|(objectClass=user)(objectClass=top)(objectClass=person))
```

### To perform a wildcard search

```plaintext
(&(objectClass=user)(cn=*Marketing*))
```

## Sample filters

### Users in group

To retrieve the account names (`sAMAccountName`) of users that are direct members of a particular group (`SomeGroupName`):

```plaintext
(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=SomeGroupName,ou=users,dc=company,dc=com))
```

### Users in group (include nested)

To retrieve the account names (`sAMAccountName`) of users that are members of a particular group (`SomeGroupName`), including membership through nested groups:

```plaintext
(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=SomeGroupName,ou=users,dc=company,dc=com))
```
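The OID `1.2.840.113556.1.4.1941` (LDAP_MATCHING_RULE_IN_CHAIN) makes the server follow `memberOf` transitively. The following is an added example, not part of the original cheatsheet: it models that evaluation over a small constructed in-memory directory so the difference between the direct and nested "Users in group" filters is visible. The directory contents, `GROUPS`, and the function names are constructed for this example.

```python
from collections import deque

# Constructed sample directory: group DN -> its direct member DNs.
GROUPS = {
    "cn=fire,ou=users,dc=company,dc=com": [
        "cn=alice,ou=users,dc=company,dc=com",
        "cn=ops,ou=users,dc=company,dc=com",
    ],
    "cn=ops,ou=users,dc=company,dc=com": [
        "cn=bob,ou=users,dc=company,dc=com",
        "cn=oncall,ou=users,dc=company,dc=com",
    ],
    "cn=oncall,ou=users,dc=company,dc=com": [
        "cn=carol,ou=users,dc=company,dc=com",
        "cn=ops,ou=users,dc=company,dc=com",  # nesting cycle; AD permits these
    ],
    "cn=wind,ou=users,dc=company,dc=com": [
        "cn=dave,ou=users,dc=company,dc=com",
    ],
}


def member_of(dn: str) -> set:
    """Direct memberOf: the groups that list dn as a member, which is what
    (memberOf=<group DN>) tests."""
    return {group for group, members in GROUPS.items() if dn in members}


def member_of_in_chain(dn: str) -> set:
    """Transitive memberOf, as (memberOf:1.2.840.113556.1.4.1941:=<group DN>)
    evaluates it. The seen-set makes nesting cycles terminate."""
    seen = set()
    queue = deque(member_of(dn))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of(group))
    return seen


def users_in_group(group_dn: str, nested: bool) -> list:
    """User DNs the 'Users in group' filter returns, with or without nesting."""
    users = {m for members in GROUPS.values() for m in members if m not in GROUPS}
    resolve = member_of_in_chain if nested else member_of
    return sorted(user for user in users if group_dn in resolve(user))


if __name__ == "__main__":
    fire = "cn=fire,ou=users,dc=company,dc=com"
    print("direct:", users_in_group(fire, nested=False))
    print("nested:", users_in_group(fire, nested=True))
```

On a real directory the server does this walk for you; the example only shows why `carol`, who is two nestings deep and sits inside a cycle, appears in the nested result but not the direct one.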

### Users in multiple groups

To retrieve the account names (`sAMAccountName`) of users that are members of any of four groups (`fire`, `wind`, `water`, `heart`):

```plaintext
(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=cn=fire,ou=users,dc=company,dc=com)(memberOf=cn=wind,ou=users,dc=company,dc=com)(memberOf=cn=water,ou=users,dc=company,dc=com)(memberOf=cn=heart,ou=users,dc=company,dc=com)))
```

### Users that must change their password at next logon

To search Active Directory for users that must change their password at next logon:

```plaintext
(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
```

### Users starting with a particular name

To find _user_ objects whose common name starts with _Brian_ (`cn=Brian*`):

```plaintext
(&(objectClass=user)(cn=Brian*))
```

### Users by job title

To find all users with a job title starting with _Manager_ (`Title=Manager*`):

```plaintext
(&(objectCategory=person)(objectClass=user)(Title=Manager*))
```

## Active Directory filters

Search filters supported only by Microsoft Active Directory.

### Domain and Enterprise Admins

To find administrators, such as members of the Domain Admins and Enterprise Admins groups:

```plaintext
(&(objectClass=user)(objectCategory=Person)(adminCount=1))
```

### All users except blocked

To find all users except blocked (disabled) ones:

```plaintext
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
```

### Disabled user accounts

To list only disabled user accounts:

```plaintext
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
```

### Users with password never expires enabled

```plaintext
(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
```

### Users with empty email

```plaintext
(&(objectCategory=person)(!(mail=*)))
```

### Users in department

To search users in a particular department:

```plaintext
(&(objectCategory=person)(objectClass=user)(department=Sales))
```

### Exclude disabled users

To find a user (`sAMAccountName=username`) that isn't disabled:

```plaintext
(&(objectCategory=person)(objectClass=user)(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=username))
```

- The filter `(sAMAccountType=805306368)` on user objects is more efficient, but is harder to remember.
- The filter `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` excludes disabled user objects.

## Additional useful filters

### Computer accounts

To find all computer accounts in Active Directory:

```plaintext
(objectCategory=computer)
```

To find computer accounts that are not disabled:

```plaintext
(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
```

### Service accounts

To find service accounts (accounts with Service Principal Names):

```plaintext
(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))
```

To find accounts used as service accounts that don't require Kerberos pre-authentication:

```plaintext
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
```

### Groups with specific attributes

To find all security groups:

```plaintext
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))
```

To find all distribution groups:

```plaintext
(&(objectCategory=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))
```

To find empty groups (no members):

```plaintext
(&(objectCategory=group)(!(member=*)))
```
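Every filter in this cheatsheet that uses `:1.2.840.113556.1.4.803:=` (the disabled, password-never-expires and no-preauthentication `userAccountControl` filters, and the security/distribution `groupType` filters) relies on the LDAP_MATCHING_RULE_BIT_AND rule. The following is an added example, not part of the original cheatsheet: it evaluates that rule over constructed sample entries and decodes the flag bits the filters test. The flag values are the standard Windows `userAccountControl` and `groupType` constants; the entries and function names are this example's own.

```python
# userAccountControl bits referenced by the filters above (Windows
# ADS_USER_FLAG values) and the groupType security bit.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,          # 2
    "NORMAL_ACCOUNT": 0x0200,          # 512
    "DONT_EXPIRE_PASSWORD": 0x10000,   # 65536
    "DONT_REQUIRE_PREAUTH": 0x400000,  # 4194304
}
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # 2147483648
SAM_NORMAL_USER_ACCOUNT = 805306368


def bit_and_match(value: int, mask: int) -> bool:
    """What (attr:1.2.840.113556.1.4.803:=mask) tests: every bit of mask is set.

    groupType is a signed 32-bit integer, so a security group is stored as a
    negative number (a global security group is -2147483646). Masking to 32
    bits first makes the comparison behave the way the directory does.
    """
    return (value & 0xFFFFFFFF) & mask == mask


def decode_uac(value: int) -> list:
    """Names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


# Constructed sample entries (not real accounts or groups).
ENTRIES = [
    {"cn": "jon", "objectClass": "user", "sAMAccountType": 805306368, "userAccountControl": 0x200},
    {"cn": "old", "objectClass": "user", "sAMAccountType": 805306368, "userAccountControl": 0x202},
    {"cn": "svc-backup", "objectClass": "user", "sAMAccountType": 805306368, "userAccountControl": 0x410200},
    {"cn": "fire", "objectClass": "group", "groupType": -2147483646},
    {"cn": "newsletter", "objectClass": "group", "groupType": 2},
]


def select(entries, object_class, attr, mask, negate=False) -> list:
    """cn of entries of object_class where (attr:803:=mask) holds, or, with
    negate=True, where it is wrapped in (!...) and therefore fails."""
    return [e["cn"] for e in entries
            if e["objectClass"] == object_class
            and bit_and_match(e[attr], mask) != negate]


def disabled_users(entries) -> list:
    return select(entries, "user", "userAccountControl", UAC_FLAGS["ACCOUNTDISABLE"])


def enabled_users(entries) -> list:
    return select(entries, "user", "userAccountControl", UAC_FLAGS["ACCOUNTDISABLE"], negate=True)


def password_never_expires(entries) -> list:
    return select(entries, "user", "userAccountControl", UAC_FLAGS["DONT_EXPIRE_PASSWORD"])


def no_preauth_required(entries) -> list:
    return select(entries, "user", "userAccountControl", UAC_FLAGS["DONT_REQUIRE_PREAUTH"])


def security_groups(entries) -> list:
    return select(entries, "group", "groupType", GROUP_TYPE_SECURITY_ENABLED)


def distribution_groups(entries) -> list:
    return select(entries, "group", "groupType", GROUP_TYPE_SECURITY_ENABLED, negate=True)


if __name__ == "__main__":
    print("disabled:", disabled_users(ENTRIES))
    print("never expires:", password_never_expires(ENTRIES))
    print("no preauth:", no_preauth_required(ENTRIES))
    print("security groups:", security_groups(ENTRIES))
    print("svc-backup flags:", decode_uac(0x410200))
```

The negative `groupType` value is the thing to remember when checking results by hand: a tool that shows `-2147483646` is showing `0x80000002`, a global security group, and the `2147483648` filter still matches it.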

### Objects modified within timeframe

To find objects modified after a specific date (the value uses LDAP generalized time format, `YYYYMMDDHHMMSS.0Z`, in UTC):

```plaintext
(whenChanged>=20240101000000.0Z)
```

To find objects created within the last 30 days (approximate; the cutoff below is a fixed example and must be recomputed from the current date each time the query runs):

```plaintext
(whenCreated>=20240715000000.0Z)
```
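Because the cutoff is a literal inside the filter, it has to be computed at query time and rendered in UTC. The following is an added example, not part of the original cheatsheet, showing that computation for the `whenChanged` and `whenCreated` filters above; the function names are this example's own.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional


def parse_iso(text: str) -> datetime:
    """Parse an ISO 8601 timestamp with an explicit offset, e.g. 2024-01-01T00:00:00+00:00."""
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return dt


def generalized_time(dt: datetime) -> str:
    """Render dt as LDAP generalized time in UTC (YYYYMMDDHHMMSS.0Z)."""
    if dt.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime so the cutoff is unambiguous")
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")


def changed_since_filter(cutoff: datetime) -> str:
    """(whenChanged>=<cutoff>) for objects modified at or after cutoff."""
    return f"(whenChanged>={generalized_time(cutoff)})"


def created_within_days_filter(days: int, now: Optional[datetime] = None) -> str:
    """(whenCreated>=<now - days>) computed from the current UTC time unless
    a reference time is supplied."""
    now = now or datetime.now(timezone.utc)
    return f"(whenCreated>={generalized_time(now - timedelta(days=days))})"


if __name__ == "__main__":
    print(changed_since_filter(parse_iso("2024-01-01T00:00:00+00:00")))
    print(created_within_days_filter(30))
```

A local-time cutoff such as `2024-01-01T05:00:00+05:00` is converted before rendering, so the filter compares against `20240101000000.0Z` rather than against a timestamp five hours off.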

### Users by location

To find users in a specific city:

```plaintext
(&(objectCategory=person)(objectClass=user)(l=New York))
```

To find users in a specific state/province:

```plaintext
(&(objectCategory=person)(objectClass=user)(st=California))
```

To find users in a specific country:

```plaintext
(&(objectCategory=person)(objectClass=user)(co=United States))
```

### Empty organizational units

A search filter only tests attributes of the OU object itself, and `(!(ou=*))` never matches an organizational unit because every OU carries its own `ou` attribute (its RDN). To find organizational units with no child objects, enumerate the OUs with the filter below and then run a one-level search under each OU's DN; an OU is empty when that search returns nothing:

```plaintext
(objectCategory=organizationalUnit)
```
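The following is an added example, not part of the original cheatsheet: it models the two-step procedure (list the OUs, then check each one with the equivalent of a one-level search) over a constructed set of DNs. The DN list and function names are this example's own, and `parent_dn` assumes RDN values contain no escaped commas.

```python
# Constructed sample directory, as the DNs a subtree search would return.
ENTRIES = [
    "dc=company,dc=com",
    "ou=users,dc=company,dc=com",
    "cn=alice,ou=users,dc=company,dc=com",
    "ou=staging,dc=company,dc=com",
    "ou=retired,ou=staging,dc=company,dc=com",
    "ou=archive,dc=company,dc=com",
]


def organizational_units(entries) -> list:
    """What (objectCategory=organizationalUnit) returns in this model: the
    entries whose RDN attribute is ou."""
    return [dn for dn in entries if dn.lower().startswith("ou=")]


def parent_dn(dn: str) -> str:
    """The DN one level up. Assumes no escaped commas inside RDN values."""
    return dn.split(",", 1)[1] if "," in dn else ""


def one_level_children(entries, base_dn: str) -> list:
    """Entries a one-level (singleLevel scope) search with base base_dn would
    return: those whose immediate parent is base_dn."""
    return [dn for dn in entries if parent_dn(dn).lower() == base_dn.lower()]


def empty_ous(entries) -> list:
    """OUs with no child objects, including OUs that only contain other OUs
    being treated as non-empty."""
    return [ou for ou in organizational_units(entries)
            if not one_level_children(entries, ou)]


if __name__ == "__main__":
    for ou in organizational_units(ENTRIES):
        print(ou, "->", len(one_level_children(ENTRIES, ou)), "children")
    print("empty:", empty_ous(ENTRIES))
```

Against a live directory the same shape applies: one subtree search with `(objectCategory=organizationalUnit)`, then per OU a one-level search with `(objectClass=*)`, no attributes requested and a size limit of 1, since only the presence of a child matters.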

## References

- [Atlassian Support: How to write LDAP search filters](https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html)
- [TheITBros.com: Active Directory LDAP Query Examples](https://theitbros.com/ldap-query-examples-active-directory/)
- [Active Directory: LDAP Syntax Filters](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx)

## Additional Resources

- [Active Directory Glossary](https://social.technet.microsoft.com/wiki/contents/articles/16757.active-directory-glossary.aspx) - This is a glossary of terms and acronyms used in Active Directory and related technologies.
- [Microsoft Docs: Active Directory Schema (AD Schema) Definitions](https://docs.microsoft.com/en-us/windows/win32/adschema/active-directory-schema) - Formal definitions of every attribute that can exist in an Active Directory object.